Безопасность информационных технологий [IT Security] (Sep 2021)

A formalized model of an organization information security audit for compliance with the requirements of standards

  • Alexei A. Sirotskiy,
  • Sergei A. Reznichenko

DOI
https://doi.org/10.26583/bit.2021.3.09
Journal volume & issue
Vol. 28, no. 3
pp. 103 – 117

Abstract

In general, the task of an information security audit is to verify that the security system of an object meets a set of criteria that define the required security level. This requires defining a set of criteria that reflect the security level of the facility and identifying indicators for which objective verification procedures can be carried out. Information security audits can be conducted for compliance with any information security standard. Because there are no instructional methodologies for auditing an organization's information security against the requirements of systemically important, generally applicable documents and standards, the content and formalizability of such requirements were studied using the GOST R ISO/IEC 17799-2005 standard as an example, with the aim of building an instructional methodology for auditing information security for compliance with that standard. The purpose of the study is to form a formalized audit methodology for auditing information security against standards and regulatory requirements in the absence of developed and generally accepted methods. A formalized model for auditing an organization's information security for compliance with the requirements of standards is then developed. The model is based on the principles of maximum independence and objectivity of audit activities. The authors propose an approach based on a system of objective indicators that correspond to protection functions; it consists in forming checklists with criteria that relate each indicator to the method used to prove the facts revealed during the audit. On the basis of the proposed model and methodology, checklists can be developed for any descriptive standard against which an audit is required.

Keywords